Privacy Policy

Last updated: February 23, 2026

This Privacy Policy describes how BAGHOLDER ("we," "us," or "our") collects, uses, and protects your information when you use our mobile application.

Information Stored on Your Device

BAGHOLDER stores the following data locally on your device using encrypted storage (iOS Keychain / Android Keystore for secrets, SQLite for structured data):

Date of birth verification status
App settings and preferences
Transaction history (round-ups, purchases, and DCA schedules)
Portfolio snapshots
Monthly activity summaries
Issue reports

This data is NOT transmitted to our servers and remains exclusively on your device.

Information Stored on Our Server

Our server stores the following data in a secured PostgreSQL database:

Payment charge records (Stripe payment intent ID, charge amount, fee amount, wallet address, status, timestamp)
Gas funding records (wallet address, transaction hash, ETH amount, timestamp)

These records are necessary for payment processing and gas funding. They do not include your name, email, phone number, or any personally identifiable information (PII).

Information We Do NOT Collect

BAGHOLDER does not collect or store on any server:

Private keys or wallet seed phrases
Your name, email address, or phone number
Biometric data (device authentication returns a boolean only)
Bank account credentials or login information
Social Security numbers or government IDs
Location data or IP addresses

Third-Party Services

BAGHOLDER integrates with third-party services that process your data under their own privacy policies:

Stripe (bank account linking and payment processing)

Stripe connects to your bank account via Stripe Financial Connections (read-only access) to retrieve transaction data for round-up calculations. Stripe also processes ACH bank charges for USD-to-USDC conversion. Stripe may collect your bank account information, transaction history, and payment details. We receive only transaction amounts, merchant names, and payment status confirmations — we do not receive your account numbers or login credentials.
See: stripe.com/privacy

Privy (wallet creation)

Privy creates and manages your embedded wallet using multi-party computation (MPC). Privy may collect your email address or social login credentials for authentication. We do not receive or store these credentials.
See: privy.io/privacy

Firebase (analytics and crash reporting)

We use Firebase Crashlytics for crash reporting and Firebase Remote Config for feature flags. Crash reports may include device model and OS version but no PII.
See: firebase.google.com/support/privacy

CoinGecko (market data)

We fetch public cryptocurrency price and market data. No user data is shared with CoinGecko.

Data Retention

Local data: stored until you delete your account or uninstall the app.
Server payment records: retained for 7 years for tax and accounting purposes.
Server gas funding records: retained for 3 years.

Your Rights

You have the right to:

Export your data at any time from Settings.
Delete all local data by using the Delete Account feature in Settings. Upon deletion, all local data is permanently erased, Stripe bank access is revoked, and your Privy session is disconnected.
View your transaction history and monthly summaries at any time within the app.
Request deletion of server-stored data by contacting us at support@getbagholder.com.

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

Right to know what personal information we collect and how it is used.
Right to delete your personal information.
Right to opt out of the sale of your personal information. We do NOT sell your personal information.
Right to non-discrimination for exercising your rights.

To exercise these rights, contact us at support@getbagholder.com.

Geographic Availability

BAGHOLDER is available in 45 U.S. states and the District of Columbia. BAGHOLDER is not available in New York, Hawaii, Connecticut, Louisiana, or Vermont due to state-specific regulatory requirements.

Children's Privacy

BAGHOLDER is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information.

Security

We use industry-standard security measures to protect your data, including:

Encrypted local storage (iOS Keychain / Android Keystore)
HTTPS for all server communication
Multi-party computation (MPC) for wallet key management via Privy
API keys stored server-side only, never on your device

No system is 100% secure. You are responsible for securing access to your device.

Changes to This Policy

We may update this privacy policy from time to time. The current version is always available in the app under Settings. If we make material changes, you will be asked to review and accept the updated policy.

Contact Us

If you have questions about this privacy policy, contact us at:
support@getbagholder.com
getbagholder.com